Recent Discussions
MHS Permissions / Samsung OEMConfig
Hi All, I hope you are well. Anyway, we are rolling out Android Enterprise ZTE tablets in Entra Shared Device Mode and all seems well. The only thing is that the MHS app permissions deployed via the device config profile just don't seem to have worked, and also I can't see anywhere in the OEMConfig file to set Power / Sleep options. Does anyone have the correct working settings for these 2 things? Info appreciated. SK

VPP Apps Not Installing via Intune – Error 0x87D127DB Despite Valid Configuration
Hi everyone, We're currently using Microsoft Intune in combination with Apple Business Manager (ABM) to provision iPhones in our organization. Our setup has worked reliably until recently: in April/May, we successfully deployed 50 iPhones without any issues. However, for the past 10 days, we've encountered a persistent issue: VPP apps are no longer installing automatically on newly enrolled devices.

✅ What's working:
- Device registration in ABM
- Syncing devices from ABM to Intune
- Device renaming, resetting, and syncing via Intune
- Uninstalling apps using the uninstall group of the deployment configuration (on existing devices)
- Disabling devices in ABM and syncing changes to Intune
- Purchasing new apps in ABM and syncing them to Intune
- App license counts (total, used, available) are correctly shown in Intune

❌ What's not working:
- VPP apps are not being installed. Only one or two icons appear on the home screen with a cloud symbol. Tapping them prompts a message that the app must be downloaded from the App Store.
- Intune consistently shows the following error: "App installation failed. 0x87D127DB (Unknown)"
- Occasionally, a message appears stating that VPP licenses could not be found, although all apps have sufficient licenses and Intune reflects this correctly.

Troubleshooting steps taken:
- Devices have been reset multiple times
- New apps were purchased and assigned with a minimal configuration (one required group)
- All certificates (MDM push, VPP token, enrollment token, Apple SCIM token) are valid
- Apple Business Support confirms their services are operational
- Microsoft Support has not provided a resolution and suspects the issue lies with Apple
- Apple, in turn, refers us back to Microsoft

At this point, we're stuck between both vendors and are hoping someone in the community has encountered this issue or found a workaround. Has anyone else experienced this behavior or found a solution for the 0x87D127DB error with VPP apps in Intune?
Thanks in advance for your help!

Invalid profile
Hi all, I have tried to enrol a device into Intune using Configurator into Apple School Manager, which works fine and then gets passed into Intune; however, when I assign a profile (existing or new) it fails. When pressing the enrol button on the iPad it says "invalid profile". I can't go any further; all I can do is release it from the org and then try again, but I have tried multiple times with no luck. Any ideas?

Reset M365 Apps Activation from User to Device
Hi All, We have just procured some M365 Apps for Enterprise device-based licenses. I have followed the initial setup guide:
- Created a security group for the devices
- Assigned this group to the M365 Apps for Enterprise licenses
- Created an Intune settings catalogue profile to set device-based licensing
Guide here: Device-based licensing for Microsoft 365 Apps for enterprise - Microsoft 365 Apps | Microsoft Learn
While this is great for new devices, the process gets slightly trickier with devices that are already in use, where M365 Apps for Enterprise has already been activated on a "User" type license. From this guide, I can see that the user activation has to be reset using various methods: Reset activation state for Microsoft 365 Apps for enterprise - Microsoft 365 Apps | Microsoft Learn
Has anyone got any experience or knowledge of how to do this reset via Intune? Info greatly appreciated. SK

User Profile Deletion
Hi, I have encountered an error when using Intune to delete user profiles. I am new to this and have put bits and pieces together from multiple sources to try to compile a script. I am using a Detect and Remediation script deployed via Devices > Scripts and Remediation in Intune, to Windows 10 Enterprise 22H2 and Windows 11 Enterprise 24H2. I will attach the scripts at the end. My issue is that the scripts detect and remediate as intended on devices that I have recently enrolled. However, we have devices that were enrolled in 2023 which don't seem to allow the scripts to run. If I then run an Autopilot reset on the device, the scripts work fine. The scripts essentially look for user profiles in C:\Users and remove them if they are older than 1 hour. We want to keep disk space as free as possible, especially on the lower-spec devices. It ignores SYSTEM and any Admin user folder, as we have a separate script to delete the LAPSAdmin only at 8pm, when the workplace is closed. Note: The LAPSAdmin script worked on the older devices before they were Autopilot reset. Does anyone know why this could be the case? Does the 1 hour check have issues reaching profiles that are over 2 years old, or is there an issue in the script? Thanks, Dean

Auth flow between custom iOS app with Intune SDK and Microsoft Edge
We have a custom iOS app which is integrated with the Intune MAM SDK. We are using Microsoft Edge and managing it by applying Intune protection policies. In our custom app, the authentication flow launches Microsoft Edge, and after authentication completes users are redirected back to the custom app using deep links. We can see the Microsoft Edge browser prompt the user to redirect to our custom app. But after allowing it, it fails to redirect with the error "Something wrong happened". We have applied the same Intune MAM protection policy to both the custom app and Microsoft Edge, where we set the policy as below: Send org data to other apps: Policy managed apps with Open-In/Share filtering, and Receive data from other apps: Policy managed apps. So, this flow is expected to work. Is it some bug with the Microsoft Edge flow due to which it is not able to launch the custom app? Note: The authentication flow works without protection policies with other browsers like Chrome. It also works when we have Send org data to other apps and Receive data from other apps set to All Apps. But as this is not a recommended security policy, we are trying to figure out what is going wrong.

QuickAssist Error 1002 - can we no longer run this as a non-admin user on Windows 11?
We are heavily reliant on QuickAssist to support our staff. We seem to have a permanent QuickAssist 1002 error on our Windows 11 Intune-managed devices. https://ibb.co/63XTSg7 https://ibb.co/Fq5n0ffM https://ibb.co/LDN6NTC2 Some time ago QuickAssist moved from C:\windows\system32 to C:\Program Files\WindowsApps\, which is a folder restricted to TrustedInstaller. So the app was heavily changed, probably due to it moving to the Store. I think it's this fundamental change that is causing the pain for us. Regular non-local-admin users cannot run it. It just fails with error 1002. This was at first just affecting a few machines. It seems, however, that it now affects all. As a test I removed a load of policies from a test device just in case the Edge policy or something was affecting it. It still shows the same error. I decided to try going down the LAPS route. I set up a local admin on the device, 'lapsadmin'. When running it with that, it fails saying Edge cannot create the files. After a lot of testing and reading up online on other users' fixes, it seems that this program will not really work correctly anymore unless it is run as an admin on a local-admin logged-in account. Anyone have any smart ways to get around this? Just to clarify:
- we cannot run it as .\lapsadmin (a local admin account on the device)
- we cannot run it as a regular user
- we cannot run it unless the user logged in is a local admin (which is no good from a security perspective)
Thanks!

Windows Autopilot and Configuration Management Client Installation Methods
I'm using Windows Autopilot to build my machines with Azure AD hybrid join. Currently, as part of the ESP, we deploy the Configuration Manager client and our VPN software (both Win32 apps) to them so we can get them co-managed ASAP. We also do this in ESP as blocking apps to control device availability to users until they are completed. Our implementation partner advised us to install the Configuration Manager client in this manner to speed up co-management. Autopilot works (albeit slowly, at around 60 mins). I am confused, though, on whether or not adding the Configuration Manager client into the Autopilot build in this manner is supported. Reading this (Co-manage internet-based devices - Configuration Manager | Microsoft Learn), it states:
"You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for hybrid Azure AD join. This limitation is due to the identity change of the device during the hybrid Azure AD-join process. Deploy the Configuration Manager client after the Autopilot process. For alternative options to install the client, see Client installation methods in Configuration Manager."
So reading this, it seems what we are doing is invalid. So question 1: Is it incorrect/unsupported to install the Configuration Manager client as a Win32 app during Autopilot (ESP or otherwise)? Furthermore, I read here (Co-manage internet-based devices - Configuration Manager | Microsoft Learn) that it appears there is no longer a need to deploy the Configuration Manager client as an app at all, but it can simply be configured via Home -> Devices -> Enroll Devices -> Windows Enrollment -> Co-management Authority:
"You no longer need to create and assign an Intune app to install the Configuration Manager client. The Intune enrollment policy automatically installs the Configuration Manager client as a first-party app. The device gets the client content from the Configuration Manager cloud management gateway (CMG), so you don't need to provide and manage the client content in Intune."
Is this method only valid post-Autopilot?

SCEP Profile Missing "Challenge password" & "Validity period" Fields
Hello Intune Community / Microsoft Support, We are trying to set up EAP-TLS with Intune-managed Windows devices, using FortiAuthenticator as our CA/RADIUS.
Issue: Our SCEP certificate profiles (under Devices > Configuration profiles) are missing the following critical fields:
- "Challenge password"
- "Certificate validity period"
Additionally, the section for configuring SCEP connectors is also absent under Tenant administration.
Impact: FortiAuthenticator requires a static challenge password for SCEP, but Intune provides no field to set this. This incompatibility is blocking certificate issuance and our EAP-TLS deployment.
Steps Verified:
- Confirmed it's a standard SCEP certificate profile for Windows 10 and later.
- Fields are genuinely not present after thorough checks.
Request:
- Why are these standard SCEP fields and this configuration section missing in our tenant?
- How can we proceed with SCEP certificate enrollment, especially with a FortiAuthenticator CA?
Thank you for your urgent assistance.

Access collections information locally
Is there a way, through WMI or the Microsoft.SMS.Client COM object, to access information on the computer about whether it is in a collection (cached information or otherwise)? I'm not sure if a computer gathers that information somewhere. I can't access that information on the site server or through the AdminService, as the account running the commands would be the SYSTEM account. My goal is to query whether a computer is in a collection and install a piece of software through a task sequence.

Intune Proactive Remediation Script Not Working for Normal Users on AVD Multi-Session
Scenario: We are using Azure Virtual Desktop (AVD) multi-session machines that are Azure AD joined and enrolled in Intune. These machines are part of an Application Group where normal Azure AD users are assigned. Users can successfully log in to the AVD session host.
What We Are Doing: We are deploying a Proactive Remediation script (now called Remediations) via Intune. The script is designed to show a confirmation popup to the user. In the script package settings, we have selected: "Run this script using the logged-on credentials" (i.e., run in user context).
What Works: When a Global Administrator logs in to the AVD machine, the popup appears as expected. Logs and script output are generated correctly.
What Doesn't Work: When a normal user logs in (non-admin Azure AD user), the script:
- Does not show the popup
- Does not generate logs
- Appears to not run at all
What We Suspect: The issue may be related to lack of local administrator rights for normal users. Since we are using AVD, we are not logging in with local machine administrators. We understand that system context would allow the script to run regardless of user login, but we specifically need user context to show the popup.
Questions:
- Is this expected behavior for Proactive Remediation scripts in user context on AVD multi-session machines?
- Do normal users need to be local administrators for the script to run properly in user context?
- Is there a supported way to show popups or UI prompts to normal users via Intune scripts on AVD?
- Are there any official Microsoft documents or best practices that explain this behavior or provide a workaround?
Additional Info:
- We are using Windows 10/11 Enterprise multi-session
- Devices are Azure AD joined
- Scripts are encoded in UTF-8, and logging is implemented
- Licensing is compliant with Intune and AVD requirements
If anyone has encountered this issue or has documentation or a workaround, your help would be greatly appreciated!

Intune MAM - Restrict Application Access to Specific Biometric Profiles
We want our employees to be able to restrict access to company apps on private devices to only specific biometric profiles on the devices. If needed: are you working together with Apple to make this possible? (e.g. via tiered device control levels / admin password in iOS)

Work Profile Contacts in Android Auto BYOD
Hey there, is it possible to list the contacts from the Android work profile in Android Auto? People in our organization are not able to search for work-profile contacts via Android Auto. When contacts from the work profile are calling, the name shows up correctly and is also correctly displayed in the call history, but when using the Phone app on the car's display it's not possible to find the contacts. What we have tried so far:
- Installed the Android Auto app in the work profile
- Enabled "Connected Apps"
- Contact sync via the Outlook app
- Contact sync via Gmail / Google Contacts
- Installed the Google Phone app in both profiles and set it as the default call application
- Installed the Samsung Phone app in both profiles and set it as the default call application
- Enabled the work profile switch in the Android Auto settings (seems only useful for notifications)
- Tried different phone and car vendors
One more piece of information: when using the Call or Contacts app in the personal profile and searching for work contacts, they show up as expected. I believe maybe it's not supported by Google? Is anybody facing the same issue, or are there some workarounds I have not thought about?

installing visual C ++ via intune
Hi all, How do I install Visual C++ silently via Intune, as I am struggling to find an MSI!

remove intune based kiosk config
I've been experimenting with Kiosk profiles in Intune to drive displays in my org. This is working generally well, but the other day I wanted to remove the kiosk config so the machine would revert back to a regular login screen upon boot. I deleted the mapping of the machine group to the configuration policy, but the kiosk profile continues to apply, or at least the config pushed to the machine that makes it auto-logon to the kiosk config is still present. How do I properly remove a kiosk profile so it comes off the machine?

User Profile Deletion
Hi, I just wanted to pick anyone's brains, in case they have also encountered this or would have any idea why this is the case. I am fairly new to Intune and script writing, to clarify. Basically, we have been working on a Detect and Remediation script that is deployed via Intune (Devices > Scripts and Remediations) to Windows 10 (Ent 22H2) and Windows 11 (Ent 24H2) devices. On any freshly enrolled devices, it detects and deletes user profiles completely fine, but it fails to even detect profiles on devices that were enrolled a while ago. However, if we run an Autopilot reset on those devices, the script works again. What difference would a freshly built/enrolled device have from an older one, when they also run other scripts fine? The script targets profiles that are older than 1 hour, as we want to keep on top of removing profiles consistently to keep disk space low, especially on lower-spec laptops. It will exclude SYSTEM profiles and also any *Admin* user folders, as that has a separate script to only delete LAPSAdmin in the evening, when the workplace is closed (8pm UK). This LAPSAdmin script worked fine on the older enrolled devices. Some of the profiles on the machines go back to 2023; is the '1 hour' target not effective against that old a profile, has it become stale? Like I said, I am fairly new to this and have used bits and pieces from different locations to help muster up a script. I thought I had it nailed, as it was working on test devices that were just enrolled purely for testing, until I was asked to put it onto another group. Intune doesn't say the script fails, indicating there are no errors. However, I am not saying there isn't.
Detect:
Remediate:
Thanks for your time, Dean

bitlocker epm rule
Hello everyone, I tried to create a rule for the management of BitLocker in Intune EPM so that on the client side it is possible to manage it myself with the "automatic" elevation. manage-bde.exe was released with its path and so on, but nothing changes. I still need admin credentials. Is there any more information about this? Kind regards

Microsoft Intune License not Showing or Applying correctly
Hi, On the Endpoint Management admin centre I am trying to change the primary user of a device to a user. The user requires an Intune license. Right now a user has a Microsoft 365 E5 license (which should include the Intune license), and when I try to change the device's primary user to the user with the E5 license, I get a message telling me the user does not have an Intune license. I've also checked the Licenses > Agreements page and there is no Intune option within the license list. Any ideas?

Azure AD Joined device, without user is local administrator?
Hi, If I reset a Windows 10 device to factory settings, and then after the reset log in using my Office 365 account (with an Enterprise Mobility + Security license added), I then become local administrator. Can we change this behavior somehow? I can't seem to find any valid solution. Or should I enroll the devices using an existing user designed for "Local administrator", and then change user afterwards? Or should I go with an enrollment manager?
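Whichever way the join is done, the first thing worth having is a check of who actually ended up in the local Administrators group. The following PowerShell detection script is an added example (not from the poster above and not Microsoft's code). It enumerates the local Administrators group, converts any Azure AD members, which appear locally as SIDs of the form S-1-12-1-a-b-c-d, back to their Azure AD object IDs (the four 32-bit sub-authorities are the little-endian bytes of the object ID GUID), and exits 1 when a member is not on an allow-list, which is the exit code an Intune remediation detection script uses to trigger remediation. The allow-list values are placeholders you would replace with your own object IDs and local account names.

```powershell
# Added example: audit local Administrators on an Azure AD joined Windows device.
# Not from the original post. Intended to run as SYSTEM (e.g. Intune remediation
# detection script); exit 1 = unexpected admin found, exit 0 = clean.

# Placeholders (assumption): Azure AD object IDs (users, groups, or the role SIDs the
# join itself adds) and local account names that are allowed to be local admins.
$AllowedObjectIds  = @('00000000-0000-0000-0000-000000000000')
$AllowedLocalNames = @('lapsadmin')

function Convert-AzureAdSidToObjectId {
    # Azure AD principals show up locally as S-1-12-1-<a>-<b>-<c>-<d>. The four
    # sub-authorities are the 16 GUID bytes of the Azure AD object ID, so copying
    # them into a byte array and casting to [guid] recovers the object ID.
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$') { return $null }
    $parts = [uint32[]]@($Matches[1], $Matches[2], $Matches[3], $Matches[4])
    $bytes = New-Object byte[] 16
    [System.Buffer]::BlockCopy($parts, 0, $bytes, 0, 16)
    return ([guid]$bytes).ToString()
}

function Get-LocalAdminAudit {
    # Enumerate via ADSI rather than Get-LocalGroupMember: the cmdlet throws on some
    # builds when the group holds Azure AD SIDs it cannot resolve to a name.
    $group   = [ADSI]'WinNT://./Administrators,group'
    $members = @($group.Invoke('Members'))
    foreach ($m in $members) {
        $sidBytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid      = (New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)).Value
        $name     = [string]$m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $oid      = Convert-AzureAdSidToObjectId -Sid $sid

        # Expected: built-in Administrator (RID 500), an allow-listed local account,
        # or an Azure AD principal whose object ID is on the allow-list.
        $expected = ($sid -like 'S-1-5-21-*-500') -or
                    ($null -eq $oid -and $AllowedLocalNames -contains $name) -or
                    ($null -ne $oid -and $AllowedObjectIds -contains $oid)

        [pscustomobject]@{
            Name     = $name
            Sid      = $sid
            ObjectId = $oid
            Expected = $expected
        }
    }
}

$audit = @(Get-LocalAdminAudit)
$audit | Format-Table -AutoSize | Out-String | Write-Output

$unexpected = @($audit | Where-Object { -not $_.Expected })
if ($unexpected.Count -gt 0) {
    Write-Output ("Unexpected local admins: " + (($unexpected | ForEach-Object { "$($_.Name) [$($_.Sid)]" }) -join ', '))
    exit 1
}
exit 0
```

Two things to expect in the output on a device joined the way the post describes: the user who performed the join appears as an S-1-12-1 SID (that is the behaviour being asked about), and the join also adds S-1-12-1 SIDs for the tenant's Global Administrator and Azure AD Joined Device Local Administrator roles, which need to be on the allow-list or they will be reported as unexpected. The script only reports; pairing it with a remediation script that removes the reported members is a separate, deliberate step.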
Recent Blogs
- By: Shawn Catlin - Product Manager 2 | Microsoft Intune. This is the fourth blog in the "From the frontlines" series focused on frontline worker scenarios. I'm Shawn Catlin, and I've had the pr... (May 28, 2025)
- 3 MIN READ: Improve efficiency and security with access policies, remote device management, and expanded device inventory capability. (May 28, 2025)